22 May 2024
Data protection reform is coming (we think!)
What’s happening?
Whilst it has been in doubt for some time, indications are that data protection reform is coming and that the UK Data Protection and Digital Information Bill will be enacted into law in the coming weeks. Indeed, on 17 May the Information Commissioner’s Office (ICO) posted a vacancy on its LinkedIn page for an interim CEO, commenting: “We want someone who is excited about making a substantial contribution to the ICO during a time of transformation. The Data Protection and Digital Information Bill will introduce reforms to replace our current governance model with a more traditional board structure, called the Information Commission.”
What does it mean?
After much uncertainty it seems we now need to get to grips with the reforms as they really do look like they will be passed soon.
Whilst there may still be changes to the reforms before the Bill becomes an Act, our pick of the key reforms which will impact private organisations (there are various reforms relevant only to public bodies) is set out below. Note that this is not an exhaustive summary of all of the changes:
SRI not DPO – the role of the data protection officer (DPO) is expected to be replaced with the new role of senior responsible individual (SRI). Unlike a DPO, an SRI must be a member of senior management (a DPO, by contrast, reports to senior management but must be independent of it). The duties of the SRI are similar to those of the DPO but less prescriptive.
SARs – the reforms will put on a statutory footing what is generally understood to be the case already: controllers need only conduct “reasonable and proportionate” searches in response to a subject access request (SAR). There is also a change of terminology. Organisations could previously refuse to deal with a SAR which was “manifestly unfounded or excessive”; the new test is “vexatious or excessive”, with the burden of proof resting with the controller. The Bill gives examples of a vexatious SAR, including requests intended to cause distress, requests “not made in good faith” and requests which are “an abuse of process”. In practice it is not expected that these changes will materially reduce the SAR burden organisations face.
ROPA – organisations, whether acting as controllers or processors, will only need to keep records of processing activities (ROPAs) where a processing activity is “likely to result in a high risk to the rights and freedoms of individuals”, which is a narrower scope than under current data protection law. The continuing requirement to comply with other UK GDPR obligations, such as accountability and transparency, is likely to limit the effect of this change, as organisations will still need to map and record their data processing activities to remain compliant.
Complaints – the reforms require controllers to put in place a formal and transparent process for handling data subject complaints. Coupled with this, there are provisions entitling the Information Commission (as the ICO will become known) to refuse to deal with complaints which have not first been considered by the controller in accordance with that process.
DPIA – again we have a change of terminology here. Organisations will no longer need to conduct data protection impact assessments (DPIAs) and will instead complete an “assessment of high risk processing”, and (as the name suggests) only where the processing is high risk.
UK representative – the territorial scope of the UK GDPR means it can apply to organisations located outside of the UK. Under the reforms, controllers established outside of the UK who are subject to the UK GDPR will no longer need to appoint a UK representative.
Cookies – it’s probably fair to say everyone is suffering cookie fatigue, so it’s not surprising that cookies have been the subject of reform. The reforms will expand the types of cookies which can be used without user consent. Currently this applies only to strictly necessary cookies, which the Bill clarifies to include cookies used for authenticating identity and for preventing or detecting fraud and technical faults. Post-reform, cookies collecting data for service improvement analytics, user preferences and security patching will not require consent, but users will still need to be given information about those cookies and an opportunity to opt out (so cookie policies and banners will still be required). Also noteworthy for charities and not-for-profit organisations is the extension to them of the soft opt-in for direct marketing.
Legitimate interests – the reforms will introduce a non-exhaustive list of examples of types of processing that may be considered necessary for the purposes of a ‘legitimate interest’ (the controller will still need to ensure its interests are not outweighed by the data subject’s rights and interests). These include processing that is necessary for direct marketing purposes, intra-group transmission of personal data for internal administration purposes, and processing which is necessary to ensure the security of network and information systems. The updated explanatory notes to the Bill confirm that any legitimate commercial processing activity can be considered a legitimate interest, provided the processing is necessary and appropriate consideration is given to the potential impact of the processing on data subjects.
The ICO – the Information Commissioner will be replaced by the Information Commission, which will act as an independent body corporate with new reporting obligations to the government. The Secretary of State will also have greater oversight of (and influence over?) the Information Commission.
PECR – the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) govern both cookies and direct electronic marketing, the latter being the main target of ICO enforcement action in recent years. To date, PECR fines have been fairly modest compared to those under the UK GDPR, but that is set to change: PECR fines are being brought in line with the UK GDPR, so fines could be up to £17.5 million or 4% of the relevant organisation’s global annual turnover, whichever is higher.
Looking ahead
The intention of the reforms is to make it easier to comply with data protection law in the UK, which the UK is now free to do post-Brexit. Whether the reforms really achieve this is up for debate, especially for organisations which are also subject to the EU GDPR, as any divergence between the two sets of legislation will cause a compliance headache (even more so if reform affects the European Commission’s UK-EU adequacy decision).
If you want to read about the reforms in more detail, the latest keeling schedules can be read here, but note that these have not been updated since May 2023 and are expected to be updated once the Bill has completed its final stages through parliament.
What should we do now?
It is important to note that even if the Bill is passed before the end of June as expected, very little will happen immediately. Most of the provisions need further parliamentary action (commencement regulations) to be brought into effect, and organisations will be given time to prepare, so it is expected that the Act will not be given full effect for between 10 and 15 months.
That said, we should all be monitoring the passage of the Bill and be alive to the likely need to start making changes soon. Our takeaway right now would be to ensure your organisation is complying with PECR (which it should be doing anyway), in anticipation of the possibility of much higher fines in future.
UPDATE: Since the date of this article the Prime Minister has called a General Election for 4 July, and it has been confirmed that the Bill will not be passed before parliament is dissolved. Watch this space for what that means for data protection reform in the future!
Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.